Community
User Guides
Support
Community
Help Forums
English Forum
General
About our Community
General Discussion
News and Feedback
Products
F-Secure SAFE
F-Secure FREEDOME
F-Secure KEY
F-Secure SENSE Router
F-Secure ID PROTECTION
Other products
Beta programs
Feature Requests
Finnish Forum (Tukifoorumi)
Tuotteet Kotiin
F-Secure SAFE
F-Secure FREEDOME
F-Secure KEY
F-Secure SENSE Router
F-Secure ID PROTECTION
Muut tietoturvatuotteet
Support Articles
Language
English
Suomi
Deutsch
Français
日本語
Svenska
Dansk
Italiano
Nederlands
Norsk
Polski
中文 (繁體)
Products & Services
F-Secure TOTAL
F-Secure SAFE / Internet Security / Anti-Virus
F-Secure FREEDOME
F-Secure KEY
F-Secure SENSE Router
F-Secure ID PROTECTION
Other products
Common topics
User Guides
Support
Login
|
Register
How to configure Elements Endpoint Protection (PSB) Software Updater (SWUP) Proxy with F-Secure Endpoint Proxy? - F-Secure Community
<main> <article class="userContent"> <h3 data-version="10" data-article="000019006" data-id="issue">Issue:</h3> <p>How to configure Elements Endpoint Protection (PSB) Software Updater (SWUP) Proxy with F-Secure Endpoint Proxy?</p> <h3 data-id="resolution">Resolution:</h3> <p></p><p>You need to do the following to setup F-Secure Endpoint Proxy to offer software updates:</p> 1. Install F-Secure Policy Manager Proxy following the steps documented in the <a rel="nofollow" href="https://community.f-secure.com/psb-en/kb/articles/5675-using-f-secure-endpoint-proxy-with-a-computer-protection-profile">guide</a>: <p id="UsingFSecureEndpointProxywithSoftwareUpdater-Obtainandprepareacertificate"><b>Obtain and prepare a certificate</b></p> <p>You need to obtain an SSL certificate from your certificate authority (CA) vendor and make sure, that this certificate is signed by a party, that is trusted on all your computers. Also, you need to make sure, that your certificate is in <a rel="nofollow" href="https://en.wikipedia.org/wiki/PKCS_12">PKCS 12 format</a> (this format usually has file extensions *.p12 or *.pfx, you can convert the certificate to PKCS 12 format, the party providing the certificate should be able to provide you instructions). </p> <p>Then you need to import <a rel="nofollow" href="https://en.wikipedia.org/wiki/PKCS_7">PKCS 7 certificate</a> to a keystore. You can do this with the following command:</p> <b>Import the certificate to the keystore</b> <table border="0" cellpadding="0" style="border-spacing: 0px;"><tbody><tr><td colspan="1" rowspan="1"><code class="code codeInline" spellcheck="false" tabindex="0">%JDK_HOME%</code><code class="code codeInline" spellcheck="false" tabindex="0">/bin/keytool</code> <code class="code codeInline" spellcheck="false" tabindex="0">-importcert -</code><code class="code codeInline" spellcheck="false" tabindex="0">alias</code> <code class="code codeInline" spellcheck="false" tabindex="0">server -keystore %PATH_TO_KEYSTORE% -</code><code class="code codeInline" spellcheck="false" tabindex="0">file</code> <code class="code codeInline" spellcheck="false" tabindex="0"><path-to-chain-p7.pem></code></td></tr></tbody></table><p>Where:</p> <ul><li>JDK_HOME is your java installation directory.</li><li>PATH_TO_KEYSTORE is a path to an existing or new keystore.</li></ul><p>For example, on Windows this command may look like this:</p> <b>Import the certificate to the Keystore</b> <table border="0" cellpadding="0" style="border-spacing: 0px;"><tbody><tr><td colspan="1" rowspan="1"><code class="code codeInline" spellcheck="false" tabindex="0">C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool -importcert -</code><code class="code codeInline" spellcheck="false" tabindex="0">alias</code> <code class="code codeInline" spellcheck="false" tabindex="0">server -keystore server.p12 -</code><code class="code codeInline" spellcheck="false" tabindex="0">file</code> <code class="code codeInline" spellcheck="false" tabindex="0">mycertchain.pem</code></td></tr></tbody></table><p id="UsingFSecureEndpointProxywithSoftwareUpdater-ReplacethedefaultPMProxy"><b>Replace the default Policy Manager Proxy</b></p> <p id="UsingFSecureEndpointProxywithSoftwareUpdater-Javaapplicationsexpectallcertificatestobestoredinthejavakeystore.Newcertificatescanbeimportedusingkeytoolwhichislocatedunderthejavainstallationlocationsbindirectory.Youcanimportthecertificatetothekeystorewithth">Java applications expect all certificates to be stored in the java keystore. New certificates can be imported using the key tool which is located under the java installation locations bin directory. You can import the certificate to the keystore with the following command:</p> <b>Import the certificate to the keystore</b> <table border="0" cellpadding="0" style="border-spacing: 0px;"><tbody><tr><td colspan="1" rowspan="1"><code class="code codeInline" spellcheck="false" tabindex="0">%JDK_HOME%</code><code class="code codeInline" spellcheck="false" tabindex="0">/bin/keytool</code> <code class="code codeInline" spellcheck="false" tabindex="0">-importkeystore</code><br><code class="code codeInline" spellcheck="false" tabindex="0"> </code><code class="code codeInline" spellcheck="false" tabindex="0">-destkeystore </code><code class="code codeInline" spellcheck="false" tabindex="0">"%FSPMS_HOME%\data\fspms.jks"</code><br><code class="code codeInline" spellcheck="false" tabindex="0"> </code><code class="code codeInline" spellcheck="false" tabindex="0">-deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD</code><br><code class="code codeInline" spellcheck="false" tabindex="0"> </code><code class="code codeInline" spellcheck="false" tabindex="0">-srckeystore <MyCert.p12> -srcstoretype PKCS12 -srcstorepass <yourcertpassword> -srcalias %ALIAS%</code></td></tr></tbody></table><p>Where:</p> <ul><li>%JDK_HOME% with your java installation directory.</li><li>%FSPMS_HOME% with your PMP proxy installation directory.</li><li>%ALIAS% with the preferred alias for the certificate in the keystore.</li></ul><p>For example, on Windows this command may look like this:</p> <b>Import the certificate to the keystore</b> <table border="0" cellpadding="0" style="border-spacing: 0px;"><tbody><tr><td colspan="1" rowspan="1"><code class="code codeInline" spellcheck="false" tabindex="0">"C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool"</code> <code class="code codeInline" spellcheck="false" tabindex="0">-importkeystore</code><br><code class="code codeInline" spellcheck="false" tabindex="0">-destkeystore </code><code class="code codeInline" spellcheck="false" tabindex="0">"C:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.jks"</code><br><code class="code codeInline" spellcheck="false" tabindex="0">-deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD</code><br><code class="code codeInline" spellcheck="false" tabindex="0">-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass <yourcertpassword> -srcalias server</code><br><code class="code codeInline" spellcheck="false" tabindex="0"> </code> <br><code class="code codeInline" spellcheck="false" tabindex="0">Existing entry </code><code class="code codeInline" spellcheck="false" tabindex="0">alias</code> <code class="code codeInline" spellcheck="false" tabindex="0">server exists, overwrite? [no]:</code><br><code class="code codeInline" spellcheck="false" tabindex="0">-> </code><code class="code codeInline" spellcheck="false" tabindex="0">yes</code></td></tr></tbody></table><p id="UsingFSecureEndpointProxywithSoftwareUpdater-ConfigureyourPMProxytouseHTTPS"><b>Configure your Policy Manager Proxy to use HTTPS</b></p> <ol><li>Navigate in the registry to "HKLM\SOFTWARE\Wow6432Node\DataFellows\F-Secure\Management Server"</li><li>Add "-DpsbProxyMode=true" to "additional_java_args"</li><li>Check that "HttpsPortNum" is 443 (If isn't change it to 443 decimal value)</li><li>Exit registry editor and restart PMP proxy</li></ol><p><br><img alt="User-added image" height="158" src="https://us.v-cdn.net/6032052/uploads/ZUS1WQDWMFCX/kcs-0em67000002dzxm.png" width="500" class="embedImage-img importedEmbed-img"></img><br> </p> <p id="UsingFSecureEndpointProxywithSoftwareUpdater-ReadytoGo"><b>Ready to Go</b></p> <p>Now your F-Secure Endpoint Proxy is configured to work with Software Updater. If you want to know more about how Software Updater works with F-Secure Endpoint Proxy, you can check the "Additional Information" section below.</p> <p id="UsingFSecureEndpointProxywithSoftwareUpdater-HowtoconfigureclientmachineswhenPMPisusingaself-signed(nottrusted/commercial)certificate"><b>How to configure client machines when PMP is using a self-signed (not trusted/commercial) certificate</b></p> <blockquote class="blockquote"> <p><b>WARNING</b>: Use this guide only for testing purposes as it's a less secure way to serve installation packages.</p> </blockquote> <p>If you decided for testing purposes to use a not trusted certificate, then you need to make this certificate trusted on every client machine, which is working together with Policy Manager Proxy, otherwise, Software Updater is not able to establish a connection to PM Proxy as the connection is untrusted.</p> <p>To set up a client environment you need to open a Microsoft Management Console (open start menu, type there <b>mmc</b> and <b>run</b> it with administrator privileges: <br><br><img alt="User-added image" height="388" src="https://us.v-cdn.net/6032052/uploads/Z1HQXSEUFAJE/kcs-0em67000002dzxr.png" width="500" class="embedImage-img importedEmbed-img"></img><br><br>Then press <b>File</b> →<b> Add/Remove snap-in..</b>.:<br><br><img alt="User-added image" height="353" src="https://us.v-cdn.net/6032052/uploads/3LPWT159TSAD/kcs-0em67000002dzxw.png" width="500" class="embedImage-img importedEmbed-img"></img><br><br> </p> <p>Select <b>Certificates</b> on the left side menu and press the <b>Add</b> button, then press the <b>OK</b> button.</p> <p><br><img alt="User-added image" height="353" src="https://us.v-cdn.net/6032052/uploads/3FX679JZXBFV/kcs-0em67000002dzy6.png" width="500" class="embedImage-img importedEmbed-img"></img></p> <p>Then on the left sidebar, you need to navigate to Console Root → Certificates → Trusted Root Certification Authorities → Certificates:<br><br><img alt="User-added image" src="https://us.v-cdn.net/6032052/uploads/RL6A7F9NSHAK/kcs-0em67000002dzyb.png" class="embedImage-img importedEmbed-img"></img><br><br> </p> <p>Right-click on <b>Certificates</b> and select <b>All tasks</b> → <b>Import...</b></p> <p><br><img alt="User-added image" src="https://us.v-cdn.net/6032052/uploads/O66MQTLXO4BK/kcs-0em67000002dzyg.png" class="embedImage-img importedEmbed-img"></img><br><br> </p> <p>Follow the wizard and choose your generated CA certificate, that you need to make trust.</p> <p id="UsingFSecureEndpointProxywithSoftwareUpdater-AdditionalInformation"><u><b>Additional Information</b></u></p> <p id="UsingFSecureEndpointProxywithSoftwareUpdater-F-SecureProxymode"><b>F-Secure Proxy mode</b></p> <p>Software Updater and F-Secure Proxy can work together in 3 modes: use always only F-Secure Proxy, use F-Secure Proxy only if possible or never use F-Secure Proxy.<br><br><img alt="User-added image" height="241" src="https://us.v-cdn.net/6032052/uploads/OFV7OPL1VB0Y/kcs-0em67000002dzyl.png" width="500" class="embedImage-img importedEmbed-img"></img><br> </p> <p>Depending on the selected mode, Software Updater may act differently. </p> <ul><li>"Always" means, that Software Updater always uses only F-Secure Proxy and never downloads installation packages from the outer Internet.</li><li>"If possible" means, that Software Updater tries to download an installation package from F-Secure Proxy three times, and if all three times it failed to download the package, then it goes to the outer Internet.</li><li>"Never" means, that Software Updater does not use F-Secure Proxy at all.</li></ul><p>Article no: 000019006</p> </article> </main>